Netgear Prosafe srx5308 User manual

350 East Plumeria Drive

San Jose, CA 95134

USA

November 22, 2011

202-10536-03

1.0

ProSafe Gigabit Quad WAN

SSL VPN Firewall SRX5308

Reference Manual

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated

into any language in any form or by any means without the written permission of NETGEAR, Inc.

Technical Support

Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or

for more information about the topics covered in this manual, visit the Support website at

http://support.netgear.com.

Phone (US & Canada only): 1-888-NETGEAR

Phone (Other Countries): Check the list of phone numbers at

http://support.netgear.com/app/answers/detail/a_id/984.

Trademarks

NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of

NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change

without notice. Other brand and product names are registered trademarks or trademarks of their respective

Statement of Conditions

To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes

to the products described in this document without notice. NETGEAR does not assume any liability that may occur

due to the use, or application of, the product(s) or circuit layout(s) described herein.

Revision History

Publication

Part Number Version Publish Date Comments

202-10536-03 1.0 November 2011 Incorporated nontechnical edits only (there are no feature

changes).

202-10536-02 1.0 July 2011 Added new features that are documented in the following

sections:

• Configure WAN QoS Profiles

• Inbound Rules (Port Forwarding) and LAN WAN Inbound

Services Rules

• Attack Checks

• Set Session Limits

• Create IP Groups

• Use the NETGEAR VPN Client Wizard to Create a Secure

Connection

• Manually Create a Secure Connection Using the NETGEAR

VPN Client

• Configure the NETGEAR VPN Client for Mode Config

Operation

• Configure Date and Time Service

• Enable the LAN Traffic Meter

202-10536-01 1.0 April 2010 Initial publication of this reference manual.

Contents

Chapter 1 Introduction

What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? . . .9

Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

Quad-WAN Ports for Increased Reliability and

Outbound Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

Advanced VPN Support for Both IPSec and SSL. . . . . . . . . . . . . . . . . .11

A Powerful, True Firewall with Content Filtering. . . . . . . . . . . . . . . . . . .11

Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Autosensing Ethernet Connections with Auto Uplink . . . . . . . . . . . . . . .12

Extensive Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Easy Installation and Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Hardware Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Front Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

Bottom Panel with Product Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Choose a Location for the VPN Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . .17

Use the Rack-Mounting Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

Chapter 2 Connecting the VPN Firewall to the Internet

Internet and WAN Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Qualified Web Browsers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

Web Management Interface Menu Layout . . . . . . . . . . . . . . . . . . . . . . .23

Configure the Internet Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

Automatically Detecting and Connecting . . . . . . . . . . . . . . . . . . . . . . . .25

Set the VPN Firewall’s MAC Address. . . . . . . . . . . . . . . . . . . . . . . . . . .28

Manually Configure the Internet Connection . . . . . . . . . . . . . . . . . . . . .28

Configure the WAN Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

Configure Network Address Translation. . . . . . . . . . . . . . . . . . . . . . . . .33

Configure Classical Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

Configure the Auto-Rollover Mode and Failure Detection Method. . . . .34

Configure Load Balancing and Optional Protocol Binding . . . . . . . . . . .36

Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . .41

Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

Configure WAN QoS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Configure Advanced WAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . .54

What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54

Chapter 3 LAN Configuration

Manage Virtual LANs and DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . .55

Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56

Assign and Manage VLAN Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . .57

VLAN DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58

Configure a VLAN Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59

Configure VLAN MAC Addresses and LAN Advanced Settings. . . . . . .64

Configure Multi-Home LAN IP Addresses on the Default VLAN . . . . . . . .65

Manage Groups and Hosts (LAN Groups). . . . . . . . . . . . . . . . . . . . . . . . .67

Manage the Network Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68

Change Group Names in the Network Database. . . . . . . . . . . . . . . . . .71

Set Up Address Reservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72

Configure and Enable the DMZ Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73

Manage Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76

Configure Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

Configure Routing Information Protocol . . . . . . . . . . . . . . . . . . . . . . . . .79

Static Route Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81

Chapter 4 Firewall Protection

About Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

Administrator Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83

Use Rules to Block or Allow Specific Kinds of Traffic. . . . . . . . . . . . . . . . .83

Services-Based Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84

Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91

Set LAN WAN Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92

Set DMZ WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96

Set LAN DMZ Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99

Inbound Rule Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

Outbound Rules Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106

Configure Other Firewall Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107

Attack Checks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107

Set Session Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110

Manage the Application Level Gateway for SIP Sessions . . . . . . . . . .112

Create Services, QoS Profiles, and Bandwidth Profiles. . . . . . . . . . . . . .112

Add Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113

Create IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115

Create Quality of Service (QoS) Profiles . . . . . . . . . . . . . . . . . . . . . . .117

Create Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119

Set a Schedule to Block or Allow Specific Traffic. . . . . . . . . . . . . . . . . . .122

Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124

Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124

Enable and Configure Content Filtering. . . . . . . . . . . . . . . . . . . . . . . .125

Enable Source MAC Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Set Up IP/MAC Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129

Configure Port Triggering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131

Configure Universal Plug and Play. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133

Chapter 5 Virtual Private Networking

Using IPSec Connections

Considerations for Multi-WAN Port Systems . . . . . . . . . . . . . . . . . . . . . .135

Use the IPSec VPN Wizard for Client and Gateway Configurations . . . .137

Create Gateway-to-Gateway VPN Tunnels with the Wizard . . . . . . . .137

Create a Client-to-Gateway VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . .141

Test the Connection and View Connection and Status Information. . . . .156

Test the NETGEAR VPN Client Connection. . . . . . . . . . . . . . . . . . . . .156

NETGEAR VPN Client Status and Log Information . . . . . . . . . . . . . . .158

View the VPN Firewall IPSec VPN Connection Status. . . . . . . . . . . . .158

View the VPN Firewall IPSec VPN Logs . . . . . . . . . . . . . . . . . . . . . . .159

Manage IPSec VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160

Configure IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160

Configure VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167

Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . .174

Configure XAUTH for VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . .175

User Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176

RADIUS Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176

Assign IP Addresses to Remote Users (Mode Config). . . . . . . . . . . . . . .178

Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178

Configure Mode Config Operation on the VPN Firewall. . . . . . . . . . . .179

Configure the NETGEAR VPN Client for Mode Config Operation . . . .185

Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .192

Modify or Delete a Mode Config Record. . . . . . . . . . . . . . . . . . . . . . . .193

Configure Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . .193

Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194

Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195

Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . .196

Chapter 6 Virtual Private Networking

Using SSL Connections

SSL VPN Portal Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198

Overview of the SSL Configuration Process . . . . . . . . . . . . . . . . . . . . . .199

Create the Portal Layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200

Configure Domains, Groups, and Users. . . . . . . . . . . . . . . . . . . . . . . . . .204

Configure Applications for Port Forwarding . . . . . . . . . . . . . . . . . . . . . . .204

Add Servers and Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204

Add a New Host Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206

Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207

Configure the Client IP Address Range . . . . . . . . . . . . . . . . . . . . . . . .207

Add Routes for VPN Tunnel Clients . . . . . . . . . . . . . . . . . . . . . . . . . . .209

Use Network Resource Objects to Simplify Policies . . . . . . . . . . . . . . . .210

Add New Network Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Edit Network Resources to Specify Addresses . . . . . . . . . . . . . . . . . .211

Configure User, Group, and Global Policies . . . . . . . . . . . . . . . . . . . . . .212

View Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213

Add a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214

Access the SSL Portal Login Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . .218

View the SSL VPN Connection Status and SSL VPN Logs. . . . . . . . . . .220

Chapter 7 Managing Users, Authentication, and Certificates

Configure VPN Authentication Domains, Groups, and Users . . . . . . . . .221

Configure Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221

Configure Groups for VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . .226

Configure User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229

Set User Login Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231

Change Passwords and Other User Settings. . . . . . . . . . . . . . . . . . . .235

Manage Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236

Certificates Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237

Manage CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238

Manage Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239

Manage the Certificate Revocation List . . . . . . . . . . . . . . . . . . . . . . . .243

Chapter 8 Network and System Management

Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244

Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244

Features That Reduce Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245

Features That Increase Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247

Use QoS and Bandwidth Assignment to Shift the Traffic Mix. . . . . . . .249

Monitoring Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . .250

System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250

Change Passwords and Administrator Settings. . . . . . . . . . . . . . . . . .250

Configure Remote Management Access . . . . . . . . . . . . . . . . . . . . . . .252

Use the Command-Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . .255

Use a Simple Network Management Protocol Manager. . . . . . . . . . . .256

Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258

Configure Date and Time Service . . . . . . . . . . . . . . . . . . . . . . . . . . . .262

Chapter 9 Monitoring System Access and Performance

Enable the WAN Traffic Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265

Enable the LAN Traffic Meter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268

Activate Notification of Events, Alerts, and Syslogs. . . . . . . . . . . . . . . . .271

View Status and Log Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276

View the System (Router) Status and Statistics. . . . . . . . . . . . . . . . . .277

View the VLAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282

View and Disconnect Active Users. . . . . . . . . . . . . . . . . . . . . . . . . . . .283

View the VPN Tunnel Connection Status. . . . . . . . . . . . . . . . . . . . . . .284

View the VPN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285

View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

View the WAN Port Connection Status. . . . . . . . . . . . . . . . . . . . . . . . .287

View the Attached Devices and DHCP Log . . . . . . . . . . . . . . . . . . . . .289

Use the Diagnostics Utilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291

Send a Ping Packet or Trace a Route . . . . . . . . . . . . . . . . . . . . . . . . .291

Look Up a DNS Address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292

Display the Routing Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292

Reboot the VPN Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293

Capture Packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293

Chapter 10 Troubleshooting and Using Online Support

Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296

Power LED Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296

Test LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296

LAN or WAN Port LEDs Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297

Troubleshoot the Web Management Interface. . . . . . . . . . . . . . . . . . . . .297

When You Enter a URL or IP Address a Time-Out Error Occurs. . . . . . .298

Troubleshoot the ISP Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298

Troubleshoot a TCP/IP Network Using the Ping Utility. . . . . . . . . . . . . . .300

Test the LAN Path to Your VPN Firewall . . . . . . . . . . . . . . . . . . . . . . .300

Test the Path from Your Computer to a Remote Device . . . . . . . . . . .301

Restore the Default Configuration and Password . . . . . . . . . . . . . . . . . .301

Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302

Access the Knowledge Base and Documentation . . . . . . . . . . . . . . . . . .303

Appendix A Default Settings and Technical Specifications

Appendix B Network Planning for Multiple WAN Ports

What to Consider Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . .308

Cabling and Computer Hardware Requirements . . . . . . . . . . . . . . . . .309

Computer Network Configuration Requirements . . . . . . . . . . . . . . . . .310

Internet Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . .310

Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312

Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313

Inbound Traffic to a Single WAN Port System . . . . . . . . . . . . . . . . . . .314

Inbound Traffic to a Dual WAN Port System . . . . . . . . . . . . . . . . . . . .314

Virtual Private Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315

VPN Road Warrior (Client-to-Gateway) . . . . . . . . . . . . . . . . . . . . . . . .316

VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318

VPN Telecommuter (Client-to-Gateway through a NAT Router) . . . . .321

Appendix C System Logs and Error Messages

System Log Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325

NTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325

System Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326

Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Firewall Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327

IPSec Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327

Unicast, Multicast, and Broadcast Logs . . . . . . . . . . . . . . . . . . . . . . . .327

WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328

Resolved DNS Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332

VPN Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332

Traffic Meter Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338

Routing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338

LAN to WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338

LAN to DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339

DMZ to WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339

WAN to LAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339

DMZ to LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339

WAN to DMZ Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340

Other Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340

Session Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340

Source MAC Filter Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340

Bandwidth Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341

DHCP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341

Appendix D Two-Factor Authentication

Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . .343

What Are the Benefits of Two-Factor Authentication? . . . . . . . . . . . . .343

What Is Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . . . . . .344

NETGEAR Two-Factor Authentication Solutions . . . . . . . . . . . . . . . . . . .344

Appendix E Notification of Compliance

Index

1. Introduction

This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad

WAN SSL VPN Firewall SRX5308. The chapter contains the following sections:

• What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?

• Key Features and Capabilities

• Package Contents

• Hardware Features

• Choose a Location for the VPN Firewall

Note: For more information about the topics covered in this manual, visit

the NETGEAR support website at http://support.netgear.com.

What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall

SRX5308?

The ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the

VPN firewall, connects your local area network (LAN) to the Internet through up to four

external broadband access devices such as cable modems or DSL modems. Four wide area

network (WAN) ports allow you to increase effective data rate to the Internet by utilizing all

WAN ports to carry session traffic or to maintain backup connections in case of failure of your

primary Internet connection.

The VPN firewall is a complete security solution that protects your network from attacks and

intrusions. For example, the VPN firewall provides support for stateful packet inspection

(SPI), denial of service (DoS) attack protection, and multi-NAT support. The VPN firewall

supports multiple web content filtering options, plus browsing activity reporting and instant

alerts—both through email. Network administrators can establish restricted access policies

based on time of day, website addresses, and address keywords.

The VPN firewall provides advanced IPSec and SSL VPN technologies for secure and

simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures

extremely high data transfer speeds.

Introduction

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

The VPN firewall is a plug-and-play device that can be installed and configured within

minutes.

Key Features and Capabilities

The VPN firewall provides the following key features and capabilities:

• Four 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover

protection of your Internet connection, providing increased data rate and increased

system reliability.

• Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data

transfer between local network resources and support for up to 200,000 internal or

external connections.

• Advanced IPSec VPN and SSL VPN support with support for up to 125 concurrent IPSec

VPN tunnels and up to 50 concurrent SSL VPN tunnels.

• Bundled with a single-user license of the NETGEAR ProSafe VPN Client software

(VPN01L).

• Advanced stateful packet inspection (SPI) firewall with multi-NAT support.

• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and

multimedia.

• Extensive protocol support.

• One console port for local management.

• SNMP support with management optimized for the NETGEAR ProSafe Network

Management Software (NMS100).

• Front panel LEDs for easy monitoring of status and activity.

• Flash memory for firmware upgrade.

• Internal universal switching power supply.

• Rack-mounting kit for 1U rackmounting.

Quad-WAN Ports for Increased Reliability and

Outbound Load Balancing

The VPN firewall provides four broadband WAN ports. These WAN ports allow you to

connect additional broadband Internet lines that can be configured to:

• Load-balance between up to four lines for maximum bandwidth efficiency.

• Provide backup and rollover if one line is inoperable, ensuring that you are never

disconnected.

Introduction

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

See Network Planning for Multiple WAN Ports on page 308 for the planning factors to

consider when implementing the following capabilities with multiple WAN port gateways:

• Single or multiple exposed hosts.

• Virtual private networks (VPNs).

Advanced VPN Support for Both IPSec and SSL

The VPN firewall supports IPSec and SSL VPN connections.

• IPSec VPN delivers full network access between a central office and branch offices, or

between a central office and telecommuters. Remote access by telecommuters requires

the installation of VPN client software on the remote computer.

-IPSec VPN with broad protocol support for secure connection to other IPSec

gateways and clients.

-Bundled with a single-user license of the NETGEAR ProSafe VPN Client software

(VPN01L).

-Supports 125 concurrent IPSec VPN tunnels.

• SSL VPN provides remote access for mobile users to selected corporate resources

without requiring a preinstalled VPN client on their computers.

-Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for

e-commerce transactions, to provide client-free access with customizable user

portals and support for a wide variety of user repositories.

-Browser-based, platform-independent, remote access through a number of popular

browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.

-Provides granular access to corporate resources based on user type or group

membership.

-Supports 50 concurrent SSL VPN sessions.

A Powerful, True Firewall with Content Filtering

Unlike simple NAT routers, the VPN firewall is a true firewall, using stateful packet inspection

(SPI) to defend against hacker attacks. Its firewall features have the following capabilities:

• DoS protection.Automatically detects and thwarts denial of service (DoS) attacks such

as Ping of Death and SYN flood.

• Secure firewall.Blocks unwanted traffic from the Internet to your LAN.

• Content filtering. Prevents objectionable content from reaching your computers. You

can control access to Internet content by screening for web services, web addresses, and

keywords within web addresses. You can configure the VPN firewall to log and report

attempts to access objectionable Internet sites.

• Schedule policies. Permits scheduling of firewall policies by day and time.

• Logs security incidents.Logs security events such as blocked incoming traffic, port

scans, attacks, and administrator logins. You can configure the VPN firewall to email the

Introduction

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

log to you at specified intervals. You can also configure the VPN firewall to send

immediate alert messages to your email address or email pager when a significant event

occurs.

Security Features

The VPN firewall is equipped with several features designed to maintain security:

• Computers hidden by NAT. NAT opens a temporary path to the Internet for requests

originating from the local network. Requests originating from outside the LAN are

discarded, preventing users outside the LAN from finding and directly accessing the

computers on the LAN.

• Port forwarding with NAT.Although NAT prevents Internet locations from directly

accessing the computers on the LAN, the VPN firewall allows you to direct incoming

traffic to specific computers based on the service port number of the incoming request.

You can specify forwarding of single ports or ranges of ports.

• DMZ port. Incoming traffic from the Internet is normally discarded by the VPN firewall

unless the traffic is a response to one of your local computers or a service for which you

have configured an inbound rule. Instead of discarding this traffic, you can use the

dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your

network.

Autosensing Ethernet Connections with Auto Uplink

With its internal four-port 10/100/1000 Mbps switch and four 10/100/1000 WAN ports, the

VPN firewall can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast

Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The four LAN and four WAN

interfaces are autosensing and capable of full-duplex or half-duplex operation.

The VPN firewall incorporates Auto UplinkTM technology. Each Ethernet port automatically

senses whether the Ethernet cable plugged into the port should have a normal connection

such as to a computer or an uplink connection such as to a switch or hub. That port then

configures itself correctly. This feature eliminates the need for you to think about crossover

cables, as Auto Uplink accommodates either type of cable to make the right connection.

Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and

Routing Information Protocol (RIP). For further information about TCP/IP, see Internet

Configuration Requirements on page 310. The VPN firewall provides the following protocol

support:

• IP address sharing by NAT. The VPN firewall allows many networked computers to

share an Internet account using only a single IP address, which might be statically or

dynamically assigned by your Internet service provider (ISP). This technique, known as

NAT, allows the use of an inexpensive single-user ISP account.

Introduction

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

• Automatic configuration of attached computers by DHCP. The VPN firewall

dynamically assigns network configuration information, including IP, gateway, and

Domain Name Server (DNS) addresses, to attached computers on the LAN using the

Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies

configuration of computers on your local network.

• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the VPN

firewall provides its own address as a DNS server to the attached computers. The VPN

firewall obtains actual DNS addresses from the ISP during connection setup and

forwards DNS requests from the LAN.

• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the

Internet over a DSL connection by simulating a dial-up connection. This feature

eliminates the need to run a login program.

• Quality of Service (QoS).The VPN firewall supports QoS, including traffic prioritization

and traffic classification with Type of Service (ToS) and Differentiated Services Code

Point (DSCP) marking.

Easy Installation and Management

You can install, configure, and operate the VPN firewall within minutes after connecting it to

the network. The following features simplify installation and management tasks:

• Browser-based management. Browser-based configuration allows you to easily

configure the VPN firewall from almost any type of operating system, such as Windows,

Macintosh, or Linux. Online help documentation is built into the browser-based web

management interface.

• Autodetection of ISP. The VPN firewall automatically senses the type of Internet

connection, asking you only for the information required for your type of ISP account.

• IPSec VPN Wizard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you

can easily configure IPSec VPN tunnels according to the recommendations of the Virtual

Private Network Consortium (VPNC) to ensure that the IPSec VPN tunnels are

interoperable with other VPNC-compliant VPN routers and clients.

• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to

let you monitor and manage log resources from an SNMP-compliant system manager.

The SNMP system configuration lets you change the system variables for MIB2.

• Diagnostic functions. The VPN firewall incorporates built-in diagnostic functions such

as ping, traceroute, DNS lookup, and remote reboot.

• Remote management. The VPN firewall allows you to log in to the web management

interface from a remote location on the Internet. For security, you can limit remote

management access to a specified remote IP address or range of addresses.

• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor

its status and activity.

Introduction

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the VPN firewall:

• Flash memory for firmware upgrades.

• Technical support seven days a week, 24 hours a day. Information about support is

available on the NETGEAR website at

http://support.netgear.com/app/answers/detail/a_id/212.

Package Contents

The VPN firewall product package contains the following items:

• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 appliance

• One AC power cable

• Rubber feet (4)

• One Category 5 (Cat 5) Ethernet cable

• One rack-mounting kit

• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide

• Resource CD, including:

-Application Notes and other helpful information

-ProSafe VPN Client software (VPN01L)

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep

the carton, including the original packing materials, in case you need to return the product for

repair.

Hardware Features

The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are

described in the following sections.

Front Panel

Viewed from left to right, the VPN firewall front panel contains the following ports (see the

following figure).

• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,

Gigabit Ethernet ports with RJ-45 connectors

• WAN Ethernet ports. Four independent N-way automatic speed negotiating, Auto

MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors

Introduction

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

The front panel also contains three groups of status indicator light-emitting diodes (LEDs),

including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in the

following table.

Figure 1.

Table 1. LED descriptions

LED Activity Description

Power On (green) Power is supplied to the VPN firewall.

Off Power is not supplied to the VPN firewall.

Test On (amber) during

startup. Test mode: The VPN firewall is initializing. After approximately

2 minutes, when the VPN firewall has completed its initialization, the

Test LED goes off.

On (amber) during

any other time The initialization has failed, or a hardware failure has occurred.

Blinking (amber) The VPN firewall is writing to flash memory (during upgrading or

resetting to defaults).

Off The system has booted successfully.

LAN Ports

Left LED On (green) The LAN port has detected a link with a connected Ethernet device.

Blinking (green) Data is being transmitted or received by the LAN port.

Off The LAN port has no link.

Right LED On (green) The LAN port is operating at 1000 Mbps.

On (amber) The LAN port is operating at 100 Mbps.

Off The LAN port is operating at 10 Mbps.

Power LED

Test LED

Left LAN LEDs

Right LAN LEDs

DMZ LEDLeft WAN LEDs

Right WAN LEDs

LEDs

Internet

Introduction

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Rear Panel

The rear panel of the VPN firewall includes a console port, a Factory Defaults Reset button, a

cable lock receptacle, an AC power connection, and a power switch.

Figure 2.

Viewed from left to right, the rear panel contains the following components:

1. Cable security lock receptacle.

2. Console port. Port for connecting to an optional console terminal. The port has a DB9 male

connector. The default baud rate is 9600 K. The pinouts are (2) Tx, (3) Rx, (5) and (7) Gnd.

For information about accessing the command-line interface (CLI) using the console port,

see Use the Command-Line Interface on page 255.

DMZ LED On (green) Port 4 is operating as a dedicated hardware DMZ port.

Off Port 4 is operating as a normal LAN port.

WAN Ports

Left LED On (green) The WAN port has a valid connection with a device that provides an

Internet connection.

Blinking (green) Data is being transmitted or received by the WAN port.

Off The WAN port has no physical link, that is, no Ethernet cable is

plugged into the VPN firewall.

Right LED On (green) The WAN port is operating at 1000 Mbps.

On (amber) The WAN port is operating at 100 Mbps.

Off The WAN port is operating at 10 Mbps.

Internet LED On (green) The WAN port has a valid Internet connection.

Off The WAN port is either not enabled or has no link to the Internet.

Table 1. LED descriptions (continued)

LED Activity Description

Security lock

receptacle

Console port

Factory Defaults

AC power

receptacle

Power

switch

Reset button

Introduction

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

3. Factory Defaults Reset button. Using a sharp object, press and hold this button for about

8 seconds until the front panel Test LED flashes to reset the VPN firewall to factory default

settings. All configuration settings are lost, and the default password is restored.

4. AC power receptacle. Universal AC input (100–240 VAC, 50–60 Hz).

5. A power on/off switch.

Bottom Panel with Product Label

The product label on the bottom of the VPN firewall’s enclosure displays factory default

settings, regulatory compliance, and other information.

Figure 3.

Choose a Location for the VPN Firewall

The VPN firewall is suitable for use in an office environment where it can be freestanding (on

its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can

rack-mount the VPN firewall in a wiring closet or equipment room. A rack-mounting kit,

containing two mounting brackets and four screws, is provided in the package.

Consider the following when deciding where to position the VPN firewall:

• The unit is accessible, and cables can be connected easily.

• Cabling is away from sources of electrical noise. These include lift shafts, microwave

ovens, and air-conditioning units.

• Water or moisture cannot enter the case of the unit.

Introduction

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

• Airflow around the unit and through the vents in the side of the case is not restricted.

Provide a minimum of 25 mm or 1 inch clearance.

• The air is as free of dust as possible.

• Temperature operating limits are not likely to be exceeded. Install the unit in a clean,

air-conditioned environment. For information about the recommended operating

temperatures for the VPN firewall, see Appendix A, Default Settings and Technical

Specifications.

Use the Rack-Mounting Kit

Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the

mounting brackets using the hardware that is supplied with the mounting kit.

Figure 4.

Before mounting the VPN firewall in a rack, verify that:

• You have the correct screws (supplied with the installation kit).

• The rack onto which you will mount the VPN firewall is suitably located.

2. Connecting the VPN Firewall to the

Internet

This chapter contains the following sections:

• Internet and WAN Configuration Tasks

• Log In to the VPN Firewall

• Configure the Internet Connections

• Configure the WAN Mode

• Configure Secondary WAN Addresses

• Configure Dynamic DNS

• Configure WAN QoS Profiles

• Configure Advanced WAN Options

• What to Do Next

Internet and WAN Configuration Tasks

Typically, the VPN firewall is installed as a network gateway to function as a combined LAN

switch and firewall in order to protect the network from incoming threats and provide secure

connections. To complement the firewall protection, NETGEAR advises that you use a

gateway security appliance such as a NETGEAR ProSecure STM appliance.

Generally, seven steps are required to complete the Internet connection of your VPN

firewall:

1. Connect the VPN firewall physically to your network. Connect the cables and restart

your network according to the instructions in the installation guide. See the ProSafe

Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide for complete steps. A

PDF of the Installation Guide is on the NETGEAR website at

http://support.netgear.com/app/products/model/a_id/13568.

2. Log in to the VPN firewall. After logging in, you are ready to set up and configure your

VPN firewall. See Log In to the VPN Firewall on page 20.

3. Configure the Internet connections to your ISPs. During this phase, you connect to your

ISPs. You can also program the WAN traffic meters at this time if desired. See Configure the

Internet Connections on page 24.

Connecting the VPN Firewall to the Internet

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

4. Configure the WAN mode. Select either NAT or classical routing. Select load balancing

mode, auto-rollover mode, or primary (single) WAN mode. For load balancing, you can also

select any necessary protocol bindings. See Configure the WAN Mode on page 32.

5. Configure secondary WAN addresses on the WAN ports (optional). Configure aliases

for each WAN port. See Configure Secondary WAN Addresses on page 41.

6. Configure Dynamic DNS on the WAN ports (optional). Configure your fully qualified

domain names. See Configure Dynamic DNS on page 42.

7. Configure the WAN options (optional). You can enable each WAN port to respond to a

ping, and you can change the factory default MTU size and port speed. However, these are

advanced features, and changing them is not usually required. See Configure Advanced

WAN Options on page 51.

Each of these tasks is detailed separately in this chapter.

Note: For information about how to configure the WAN meters, see Enable

the WAN Traffic Meter on page 265.

The configuration of LAN, firewall, scanning, VPN, management, and monitoring features is

described in later chapters.

Qualified Web Browsers

To configure the VPN firewall, you need to use a web browser such as Microsoft Internet

Explorer 6 or later, Mozilla Firefox 3 or later, or Apple Safari 3 or later with JavaScript,

cookies, and SSL enabled.

Although these web browsers are qualified for use with the VPN firewall’s web management

interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies,

SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is required

only for the SSL VPN portal, not for the web management interface.

To connect to the VPN firewall, your computer needs to be configured to obtain an IP address

automatically from the VPN firewall through DHCP.

To connect and log in to the VPN firewall:

1. Start any of the qualified web browsers, as explained in Qualified Web Browsers on

page 20.

2. Enter https://192.168.1.1 in the address field. The NETGEAR Configuration Manager Login

screen displays in the browser.

Other manuals for ProSAFE SRX5308

Table of contents

Other NETGEAR Firewall manuals

NETGEAR

NETGEAR ProSAFE FVS318G v2 User manual

NETGEAR

NETGEAR ProSafe FR114P User manual

NETGEAR

NETGEAR FVS336Gv1 - ProSafe Dual WAN Gigabit... User manual

NETGEAR

NETGEAR ProSafe FVS318N User manual

NETGEAR

NETGEAR FVG318 - ProSafe 802.11g Wireless VPN Firewall 8... Specification sheet

NETGEAR

NETGEAR ProSafe FVX538 User manual

NETGEAR

NETGEAR UTM5 - ProSecure Unified Threat Management... User manual

NETGEAR

NETGEAR FVS124G - ProSafe VPN Firewall 25 User manual

NETGEAR

NETGEAR FVS318G - ProSafe Gigabit VPN Firewall Data Sheet... User manual

NETGEAR

NETGEAR FVG318 - ProSafe 802.11g Wireless VPN Firewall 8... User manual

NETGEAR

NETGEAR FVL328 - Cable/DSL ProSafe VPN Firewall... User manual

NETGEAR

NETGEAR ProSafe FVS318N User manual

NETGEAR

NETGEAR SRXN3205 - ProSafe Wireless-N VPN Firewall Wireless... User manual

NETGEAR

NETGEAR FVS336Gv2 - ProSafe Dual WAN Gigabit... User manual

NETGEAR

NETGEAR STM150 - ProSecure Web And Email Threat Management... User manual

NETGEAR

NETGEAR ProSafe FVS318N User manual

NETGEAR

NETGEAR FVS124G - ProSafe VPN Firewall 25 User manual

NETGEAR

NETGEAR ProSAFE SRX5308 User manual

NETGEAR

NETGEAR ProSAFE SRX5308 User manual

NETGEAR

NETGEAR ProSAFE SRX5308 User manual

NETGEAR

NETGEAR ProSAFE SRX5308 User manual

NETGEAR

NETGEAR FVS338 - ProSafe VPN Firewall 50 Router Installation and operating instructions

NETGEAR

NETGEAR FVS338 - ProSafe VPN Firewall 50 Router User manual

NETGEAR

NETGEAR FVS336G - ProSafe Dual WAN Gigabit Firewall User manual

Popular Firewall manuals by other brands

Cisco

Cisco PIX-525-UR-BUN - PIX 525 Unrestricted Bundle user guide

Watchguard

Watchguard Firebox SOHO 6.1 user guide

Dell

Dell NSA E8500 Getting started guide

Draytek

Draytek Vigor 5510Gi Specifications

Tosibox

Tosibox Lock 200 quick start guide

Fortinet

Fortinet FortiGate FG-80C manual

Fortinet

Fortinet FortiGate-50A quick start guide

Fortinet

Fortinet FortiGate Voice Series quick start guide

Draytek

Draytek Vigor2952 Series quick start guide

XRoads Networks

XRoads Networks EdgeXOS Platform Notes

Global Technology

Global Technology GB-750 Product guide

Draytek

Draytek Vigor2866 Series quick start guide

Alpha Shield

Alpha Shield FIREWALL user manual

Watchguard

Watchguard QMS 1200 quick start guide

Real Fires

Real Fires 900 Installation instruction

Watchguard

Watchguard SOHO user guide

Checkpoint

Checkpoint UTM-1 Edge W16 Brochure & specs

Watchguard

Watchguard Firebox M440 quick start guide